The Hertz Corporation has confirmed a data breach resulting from the exploitation of zero-day vulnerabilities in Cleo Communications' file transfer platform, marking the latest fallout in the broader “Cleo campaign” attributed to the Clop ransomware group.
The breach, which may have exposed a range of sensitive personal data, affects customers and possibly employees of Hertz, Dollar, and Thrifty brands.
The intrusion was confirmed by Hertz following unauthorized access that reportedly occurred in two separate attack waves in October and December 2024. The breach was traced to vulnerabilities in Cleo's managed file transfer (MFT) software, which Clop previously exploited in attacks on Blue Yonder, among others. Hertz completed its internal investigation on April 2, 2025, revealing that the attackers had successfully exfiltrated customer and employee data.
The compromised data includes full names, contact details, birth dates, driver's license numbers, and credit card information. For a subset of individuals, more sensitive identifiers such as Social Security numbers, passport data, Medicare or Medicaid IDs, and injury-related information linked to vehicle accident and workers' compensation claims were also impacted.
Hertz, a global car rental giant operating under multiple brands with thousands of locations worldwide, used Cleo's platform for limited data transfer functions. The firm emphasized that it had immediately launched an internal review, notified law enforcement, and is cooperating with regulators. In response to the breach, Cleo reportedly patched the exploited vulnerabilities, identified as CVE-2024-50623 and CVE-2024-55956, and took remedial actions to secure its platform.
As part of its mitigation efforts, Hertz has partnered with Kroll to offer two years of complimentary identity and dark web monitoring services to affected individuals in the United States. Impacted users are being contacted via personalized letters, including details on how to enroll in the protective services and steps they can take to monitor for identity theft.
CyberInsider has found that Clop has fully published Hertz's stolen data on its dark web leak site, making the breach particularly severe in terms of privacy impact, as the data is now free to download and misuse by anyone.
That being said, potentially impacted individuals are strongly advised to enroll in the Kroll-provided identity monitoring service before the stated deadline, monitor credit reports, and consider placing fraud alerts or credit freezes with major bureaus. Phishing attempts are also common in these cases, so people should remain vigilant.
Organizations using Cleo's platforms — Harmony, VLTrader, or LexiCom — should urgently update to version 5.8.0.24 or newer, audit systems for unusual file transfers, and enforce multi-factor authentication across all user accounts.
Leave a Reply